Rootless & introduction of configuration service

[Diman0]

As discussed during last meeting, we want to move to rootless. This means we need a configuration (init) service/container that handles initializing all configuration.

We also discussed that this container could be used to handle configuring Mailu for the first time. We looked at the nextcloud all-in-one that is a good example.

I was thinking to do this in two phases (two PRs). Phase one implements the initial configuration service/container and moving to rootless. Phase two (a second PR after Phase one) will look into adding a configuration wizard and container management. We can discuss Phase two in a new issue after phase one is complete.

Phase one (this issue) requirements:

• All services run rootless.
  • 'Run rootless' means that the CMD/ENTRYPOINT program (start.py) is started with a local user (with name mailu) that has no root privileges.
• GID/UID for the Mailu user can be configured by the user.
  • This means that at least all host-mounted files/folders for each container must have the GID/UID of the user.
• Initial configuration (jinja scripting) is handled by the configuration service.
• Overrides are processed by the configuration service.

Implementation:

• All mailu services (but the configuration service)
  • Start.py will be modified. After startup the container enters a while loop. In the while loop it will call an endpoint of the configuration service to check if the configuration service is done. When the configuration service is done, the endpoint will return a returncode 200 and the service will actually start.
• configuration service
  • Uses the python docker api (the docker socket will be host mounted to enable this) for:
    • via docker api pull all configuration files
    • locally perform all jinja scripting.
    • If applicable, locally process the overrides.
    • via docker api push the initialized configuration files back to each service.
    • If applicable via docker exec process overrides on each service. E.g. for the postfix service (postconf -e ...)
    • Via docker exec, set the correct file permissions for each container to the mailu GID/UID.
  • Via flask, provide an endpoint that returns code 200 when it has finished doing the configuration.

Technically the configuration service can also run rootless. Via the docker exec functionality we can run commands as root.

@nextgens @ghostwheel42 Can you provide your thoughts. Do the requirements match with your idea what we discussed during last meeting? I just want to make when I start with the above, it does align with what you were thinking.